[squid-users] squid3 : Really need to use external (slow) acl with peer_cache_access
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 27 03:39:45 UTC 2017
On 25/01/2017 10:29 p.m., hoper at free.fr wrote:
>
> Hi everybody,
>
> I really tried to find an answer with Google, and within
> the archives of this mailing list but couldn't find anything
> so... here I am...
>
> I need to select a squid parent based on the login of the
> user (and other things). With squid 2.7, I had a configuration
> like this one:
>
> -------------------------------------------------------------
> cache_peer 169.254.1.1 parent 3128 0 default name=parent1
> cache_peer 169.254.1.2 parent 3128 0 default name=parent2
> [...] (many parents)
>
> external_acl_type choose_parent ttl=60,children-max=1 %EXT_USER %SRC %LOGIN %ACL /home/user/myhelper.sh
> acl p0 external choose_parent
>
> external_acl_type myparent1 ttl=60,children-max=1 %ACL %EXT_USER /home/user/another_helper
> acl p1 external myparent1
> external_acl_type myparent2 ttl=60,children-max=1 %ACL %EXT_USER /home/user/another_helper
> acl p2 external myparent2
> [...]
>
> cache_peer_access parent1 allow p1
> cache_peer_access parent2 allow p2
> [...]
>
> cache_peer_access path1 deny all
> cache_peer_access path2 deny all
> [...]
>
> ---------------------------------------------------------------
>
> The idea is to deny all squid parents except the one I want this user
> (with this specific IP and so on) to use.
>
> But with squid3, I just have lots of errors in cache.log:
>
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(868) aclMatchExternal: myparent1("p1 p1") = lookup needed
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(871) aclMatchExternal: "p1 p1": queueing a call.
> 2017/01/25 10:22:16.053 kid1| Checklist.cc(115) goAsync: 0x7fff415cf470 a fast-only directive uses a slow ACL!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(873) aclMatchExternal: "p1 p1": no async support!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(874) aclMatchExternal: "p1 p1": return -1.
>
> The documentation made it perfectly clear that "cache_peer_access" is a "fast ACL" that can only use fast ones...
> But I really need to use external "slow" acl. Please, is there a way to do it?
> Again, this was working in 2.7 :(

Well, no. 2.7 was just being silent about the situation and guessing
whether you wanted an OK/ERR result. Whereas Squid-3 tells you when the
fast-only cannot handle the ACL check results.

What you need to do is perform the external ACL check during one of the
*_access checks that permits slow lookups, e.g. http_access.

Then use the 'note' ACL type in your fast-only access controls to check
some annotation that the helper returns to Squid.

Amos
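
The approach described in the reply above, as an added example that is not part of the original thread or of Squid itself: one helper is consulted from http_access and returns the chosen parent as an annotation, which `note` ACLs then test in cache_peer_access. It assumes a Squid release that has the `note` ACL type and key=value helper replies; the helper path, the `serve` argument, the ACL names, the `parent_` key and the user-to-parent policy are all constructed for illustration.

```shell
#!/bin/sh
# squid.conf side (names below are constructed for this example):
#   external_acl_type choose_parent ttl=60 children-max=1 %LOGIN %SRC /usr/local/bin/choose_parent.sh serve
#   acl pick_parent external choose_parent
#   http_access deny !pick_parent            # slow lookup is allowed here; ERR fails closed
#   acl use_p1 note parent_ parent1          # fast: only reads the stored annotation
#   acl use_p2 note parent_ parent2
#   cache_peer_access parent1 allow use_p1
#   cache_peer_access parent1 deny all
#   cache_peer_access parent2 allow use_p2
#   cache_peer_access parent2 deny all

# Constructed sample policy: map login + client IP to a cache_peer name.
choose_parent() {
    login=$1
    src=$2
    case "$login:$src" in
        alice:10.0.0.*) printf '%s\n' "OK parent_=parent1" ;;
        bob:*)          printf '%s\n' "OK parent_=parent2" ;;
        *)              printf '%s\n' "ERR" ;;   # unknown user: no parent, request denied
    esac
}

# Helper loop: Squid writes one "login src" line per lookup and reads one reply line.
serve() {
    while read -r login src _; do
        choose_parent "$login" "$src"
    done
}

if [ "${1:-}" = "serve" ]; then
    serve                                   # mode used when started by Squid
else
    # Constructed input, to show the replies offline.
    printf '%s\n' "alice 10.0.0.5" "bob 192.0.2.7" "- 10.0.0.9" | serve
fi
```

Place the `http_access deny !pick_parent` line after the rules that authenticate the user, so `%LOGIN` is populated before the helper is consulted.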